Business Associate Agreement

Effective: March 27, 2026

Request a BAA

Wingman Health executes Business Associate Agreements with all covered entities prior to accessing or processing any Protected Health Information. To request a BAA for your practice, please contact us.

1. Definitions

This Business Associate Agreement ("BAA") is entered into between Wingman Health, LLC ("Business Associate") and the healthcare practice or covered entity ("Covered Entity") that subscribes to Wingman Health's services. Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the HIPAA Rules (45 CFR Parts 160 and 164).

2. Obligations of Business Associate

Business Associate agrees to:

  • Not use or disclose Protected Health Information (PHI) other than as permitted or required by this Agreement or as required by law
  • Use appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report to Covered Entity any use or disclosure of PHI not provided for by this Agreement
  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions and conditions
  • Make PHI available to Covered Entity as required by the HIPAA Privacy Rule
  • Make PHI available for amendment and incorporate amendments as required
  • Provide an accounting of disclosures as required
  • Make internal practices, books, and records available to the Secretary of HHS for determining compliance

3. Permitted Uses and Disclosures

Business Associate may use or disclose PHI only to:

  • Perform services on behalf of Covered Entity as specified in the Services Agreement
  • Facilitate referral placement and prior authorization processing
  • Provide analytics and reporting to Covered Entity regarding their referral operations
  • Carry out legal responsibilities of Business Associate

4. Minimum Necessary Standard

Business Associate shall request, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose. The Wingman Health browser extension is designed to process data locally whenever possible, minimizing PHI transmission.

5. Security Measures

Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI, including but not limited to:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Multi-factor authentication for system access
  • Comprehensive audit logging
  • Regular security risk assessments

6. Breach Notification

Business Associate shall notify Covered Entity within 24 hours of discovering a breach of unsecured PHI. The notification shall include the identification of each individual whose PHI has been or is reasonably believed to have been affected, a description of the breach, and the steps being taken to mitigate harm.

7. Term and Termination

This Agreement shall be effective for the duration of the Services Agreement. Upon termination, Business Associate shall return or destroy all PHI received from Covered Entity, or created or received on behalf of Covered Entity. If return or destruction is not feasible, protections under this Agreement shall extend to such PHI.

8. Governing Law

This Agreement shall be governed by the laws of the State of Texas and applicable federal law, including HIPAA and the HITECH Act.

9. Contact Information

For questions about this BAA or to request execution of a BAA for your practice:

Wingman Health, LLC
Privacy Officer
San Antonio, Texas
Email: [email protected]
Phone: (210) 744-8543